I have a question for you, if you can help me with this.
Is customer PII considered as Information in ISO27001:2013 Standard?
If yes, then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement? Shouldn't this activity be not allowed to be excluded from contractual agreement?
This question confuses me on allowing exclusions in ISMS.